Corporations and other large organizations often interconnect various computer systems into networks in support of their operations. For example, such computer networks may be composed of one or more private networks linked to multiple, geographically dispersed computer systems that themselves may be linked via interconnecting networks. Modern virtualization technologies, such as VMware and Xen, simplify the operation, maintenance, and configuration of such virtual networks. However, such networks are still vulnerable to “spoofing” attacks that inject packets into authorized network traffic, as well as “man-in-the-middle” attacks that intercept and modify data packets during transmission across the virtual network. In addition, information transmitted via such networks may be “sniffed” by unauthorized parties.
Modern communications protocols, such as the IPSec protocol for securing packetized communications, support the authentication and integrity checking of transmitted data packets. In such protocols, a “security association” is established between two communicating entities based on a negotiation and mutual exchange of cryptographic information. For example, in IPSec, the Internet Key Exchange (IKE) protocol establishes the security association through the negotiation and mutual authentication of a shared secret, from which shared cryptographic keys are derived. Once the security association is established, a sending entity is able to hash, encrypt, and sign transmitted data packets, and the receiving entity is able to receive those packets and verify the signature.
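As an added illustration that is not part of the original document, the following Python model shows the two halves of such a security association: purpose-specific keys derived from the negotiated shared secret, a sender that tags each packet, and a receiver that rejects packets that were injected, modified in transit, or replayed. SHARED_SECRET, SPI and the key-derivation label are constructed stand-ins for values that IKE would negotiate, and the anti-replay check is a simplification of the real IPSec window.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Constructed stand-in for the shared secret that IKE would negotiate and
# mutually authenticate; in a real SA it never appears as a literal.
SHARED_SECRET = b"constructed-secret-negotiated-by-ike"
SPI = 0x1000  # security parameter index identifying this SA (constructed)
TAG_LEN = 32  # length of an HMAC-SHA256 tag


def derive_key(secret: bytes, label: bytes) -> bytes:
    # Derive a purpose-specific key from the SA secret, using HMAC-SHA256 as the PRF
    return hmac.new(secret, label, hashlib.sha256).digest()


class SecurityAssociation:
    """One direction of a simplified SA: integrity key plus sequence tracking."""

    def __init__(self, secret: bytes, spi: int) -> None:
        self.spi = spi
        self.auth_key = derive_key(secret, b"integrity")
        self.next_seq = 1       # sender: next sequence number to emit
        self.highest_seen = 0   # receiver: simplified anti-replay state

    def protect(self, payload: bytes) -> bytes:
        """Sender: header(spi, seq) || payload || HMAC tag over header+payload."""
        header = struct.pack("!II", self.spi, self.next_seq)
        self.next_seq += 1
        tag = hmac.new(self.auth_key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def verify(self, packet: bytes) -> Optional[bytes]:
        """Receiver: payload if the tag is valid and seq is fresh, else None."""
        if len(packet) < 8 + TAG_LEN:
            return None
        header, body, tag = packet[:8], packet[8:-TAG_LEN], packet[-TAG_LEN:]
        spi, seq = struct.unpack("!II", header)
        expected = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()
        if spi != self.spi or not hmac.compare_digest(tag, expected):
            return None   # injected (spoofed) or modified in transit
        if seq <= self.highest_seen:
            return None   # replay of an already-accepted packet
        self.highest_seen = seq
        return body
```

A packet produced by a peer that lacks the negotiated secret, or one whose payload was altered after tagging, fails `verify` exactly as a spoofed or man-in-the-middle packet would on a real SA.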
However, the negotiation processes common to the IKE protocol are often impractical to implement in virtual networks. For example, such protocols require the exchange and subsequent verification of data using multiple messages before the shared secret is defined. These messages, when exchanged in a virtual network environment, may be subject to various attacks that could compromise the key exchange process. Therefore, systems and methods are needed to overcome the limitations of traditional key exchange and key generation processes within virtual networks.